echelon | fe2a40f78f2acb54fb1675bbe256de830d9c78ff813818d7335b98ce8b2bb3e6

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6512ee54cb87daf804d1d337785c947e.exe
Size

1.5MB
MD5

6512ee54cb87daf804d1d337785c947e
SHA1

6e29351ed23c4b14d731a36c789e08cea5f8eb5e
SHA256

fe2a40f78f2acb54fb1675bbe256de830d9c78ff813818d7335b98ce8b2bb3e6
SHA512

a7725fee1f1a90fe6b0571cf293b028f4128ac5baf62f64cc3b6ba20d7c412437918096c86b005411bb922b42f020c393980965f0ec7c16b000a8e0773da96b7
SSDEEP

24576:+DWHSb4Nc0yPFtkTb67tzzM9DvVIJV1rliDpL9Dh7qd2P69EuKA+R:t846kKzzKVIJ5+pLTpP699Kn

Score

10^/10

echelon discovery spyware stealer vmprotect

Malware Config

Signatures

Detects Echelon Stealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0007000000016111-41.dat	family_echelon
behavioral1/memory/2592-42-0x0000000001250000-0x0000000001416000-memory.dmp	family_echelon
behavioral1/files/0x0007000000016111-40.dat	family_echelon

Echelon
Echelon is a .NET stealer that targets passwords from browsers, email and cryptocurrency clients.
stealer spyware echelon

Executes dropped EXE 3 IoCs

Processes:

UltraHook newe.sfx.exeUltraHook newe.exeCrypt.exe

pid	Process
2264	UltraHook newe.sfx.exe
2696	UltraHook newe.exe
2592	Crypt.exe

Loads dropped DLL 7 IoCs

Processes:

6512ee54cb87daf804d1d337785c947e.exeUltraHook newe.sfx.exe

pid	Process
2016	6512ee54cb87daf804d1d337785c947e.exe
2016	6512ee54cb87daf804d1d337785c947e.exe
2016	6512ee54cb87daf804d1d337785c947e.exe
2264	UltraHook newe.sfx.exe
2264	UltraHook newe.sfx.exe
2264	UltraHook newe.sfx.exe
2264	UltraHook newe.sfx.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

VMProtect packed file 11 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/files/0x0032000000015d50-28.dat	vmprotect
behavioral1/files/0x0032000000015d50-31.dat	vmprotect
behavioral1/memory/2696-32-0x0000000000CD0000-0x0000000000ED0000-memory.dmp	vmprotect
behavioral1/files/0x0032000000015d50-30.dat	vmprotect
behavioral1/files/0x0032000000015d50-25.dat	vmprotect
behavioral1/files/0x0032000000015d50-22.dat	vmprotect
behavioral1/files/0x0032000000015d50-20.dat	vmprotect
behavioral1/files/0x0032000000015d50-19.dat	vmprotect
behavioral1/files/0x0007000000016111-41.dat	vmprotect
behavioral1/memory/2592-42-0x0000000001250000-0x0000000001416000-memory.dmp	vmprotect
behavioral1/files/0x0007000000016111-40.dat	vmprotect

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

Crypt.exe

pid	Process
2592	Crypt.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Crypt.exe

description	pid	Process
Token: SeDebugPrivilege	2592	Crypt.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

6512ee54cb87daf804d1d337785c947e.exeUltraHook newe.sfx.exeUltraHook newe.exeCrypt.exe

description	pid	Process	procid_target
PID 2016 wrote to memory of 2264	2016	6512ee54cb87daf804d1d337785c947e.exe	28
PID 2016 wrote to memory of 2264	2016	6512ee54cb87daf804d1d337785c947e.exe	28
PID 2016 wrote to memory of 2264	2016	6512ee54cb87daf804d1d337785c947e.exe	28
PID 2016 wrote to memory of 2264	2016	6512ee54cb87daf804d1d337785c947e.exe	28
PID 2264 wrote to memory of 2696	2264	UltraHook newe.sfx.exe	29
PID 2264 wrote to memory of 2696	2264	UltraHook newe.sfx.exe	29
PID 2264 wrote to memory of 2696	2264	UltraHook newe.sfx.exe	29
PID 2264 wrote to memory of 2696	2264	UltraHook newe.sfx.exe	29
PID 2696 wrote to memory of 2592	2696	UltraHook newe.exe	30
PID 2696 wrote to memory of 2592	2696	UltraHook newe.exe	30
PID 2696 wrote to memory of 2592	2696	UltraHook newe.exe	30
PID 2592 wrote to memory of 2148	2592	Crypt.exe	32
PID 2592 wrote to memory of 2148	2592	Crypt.exe	32
PID 2592 wrote to memory of 2148	2592	Crypt.exe	32

C:\Users\Admin\AppData\Local\Temp\6512ee54cb87daf804d1d337785c947e.exe
"C:\Users\Admin\AppData\Local\Temp\6512ee54cb87daf804d1d337785c947e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\UltraHook newe.sfx.exe
  "C:\Users\Admin\AppData\Local\Temp\UltraHook newe.sfx.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\UltraHook newe.exe
    "C:\Users\Admin\AppData\Local\Temp\UltraHook newe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\Crypt.exe
      "C:\Users\Admin\AppData\Local\Temp\Crypt.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2592 -s 996
        5⤵
        
        PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypt.exe

Filesize
131KB

MD5
a30f5a6e0c89bcecbc336d0eb85dee11

SHA1
c0eee1b2425621670789040fa59dd04b7d5a259a

SHA256
5fd576c64556dd1792f748e2e5f47912955463a62363645a6db04bc4946de02b

SHA512
3cb77a9c64c8df8aa149a82fa25f77297d4df0efebb06d69f2e56e842f687897f725205425369fbe30ca9946c3c07f0d6637c5f7b5c482b2c119f3b0d77843b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crypt.exe

Filesize
169KB

MD5
df208e13f9ddb3164cc91d8aff2f4327

SHA1
98c9e5c035f1e327c4b69c233d58055493bb1239

SHA256
abd360db1c2edc2f5130f87b971a6df138c129db27e650fe606724e065b7e71e

SHA512
9936742ec77e4049674aeddd78288e32d4543583a4e8b651ba8fb3e6496d27951789ecf40bf445c2eddd14f327e88f60c68b7c46186d7ea81d4dffb712b7ddb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.exe

Filesize
108KB

MD5
6d845dfffead966aac9c197e89675cb5

SHA1
609628388fce3c61aa3c1ac13c8ee7234c2a83a2

SHA256
ed7fa472d8be3c959af637e9aa6ae67dd0613261ab4bd94a398e5b370f3818be

SHA512
0ce845fb22d3319ea7b58ac8ed6c6713578ecb7f37c3d09422cd837f640a23ba3a66ff21d467c75d12a2423c533837a97eeb8d8d2d38efa9eadfea5803f3b5a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.exe

Filesize
118KB

MD5
3a4696dab0180b2bbeced252cbc412b1

SHA1
1b3c19a2672286a21a5a452d0b976c522880af31

SHA256
1b638a12e70a4aef909873a1a9beeeeadcc1bc301f7138102d8ed4cabf71c38f

SHA512
c00b40dc0a716e58765eb67b10a3d66dbf44a230da9f4523242fec02458a810642e9ceb6e92f946ee1e229f58ec837ec1ba29f5c1b713c0b695b65b21debee0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.exe

Filesize
128KB

MD5
4f4ff5c769d942c4b5bed5934f67f382

SHA1
87594118a48a25be0a8dcecb5b22378bb99cb432

SHA256
7cccf956f76fbad9b176893c68ea8ed1793ec2bb48bb2142f27e82dd66cb744c

SHA512
db5f4d6dddfd350e2bd879a64eaa8c8f66a41c9f5efe2a096150b4e2bd019c4695a00030d088043adec1c9eddf97ec6cd15db063ae33a206effed4ce330323ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.sfx.exe

Filesize
115KB

MD5
c7e0b6f231247ee2b220c43cb6198506

SHA1
7ecdba64d9693fe22fe8f0116cbdc345828da437

SHA256
d9f81e4e378c90e2cecb800d787eeb1c02a54429fa4d83bd06adfa9b0f64ca62

SHA512
e17950fa69b610e6dd52c0628f323f6ca55415d1cdbb7b9be22610de9a55ed933962437df18a74db1302e9c35f0c0d3df72e4b447836055234e3ca50b7af3fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.sfx.exe

Filesize
47KB

MD5
88f8c85bab7ad81dbe9d30ebea5034b2

SHA1
132baed323e400b1efe97afdf800c1e7676ec0ec

SHA256
e3f9d5479c880d4cbb064071ca15824bbd717ea237a889a05c84456b3311a2ec

SHA512
af55d3d1d2bb08be000ce3142280835dc2e32fb1e90098a150385e80fb561bc171590499bb3261c52b77ef22750cb9ba72450b0c3d8146db85afb31fe7fca2e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\UltraHook newe.sfx.exe

Filesize
378KB

MD5
58c2ff693d1eadf6e08135771c3bd5ff

SHA1
7a704fa5a4bd8282bbc9bddb83a818fd7c492eee

SHA256
62ab7e984aca933614d139b00c15cf268f877b55243ccd21c1948f0e84beef32

SHA512
b7c2b73f3207b81a24b57643d6e5131dd3ca4f90f39d8b83f53398e3f4db2bc429d2c9b8e2112e35b2eff36f89faff03362ed35b117059aef55424a9f2e0ea3d

Download Submit
\Users\Admin\AppData\Local\Temp\UltraHook newe.exe

Filesize
48KB

MD5
a4502f296828156ad5fbcd8860572f2a

SHA1
8f53d649c5657a6c25c7e07d92776042359b2c05

SHA256
507d914c13b0ae9381fc3ca7c76590b515a59a56bf272b904479138beaa7ada1

SHA512
183ef1cca76f58bf28a11485ef976092d941ddaec97643baad35e7b6e6050d51a9c8020dafef4eff67ab07dad5ecf415eebe4616a40ba7e5c7868e7d290d2110

Download Submit
\Users\Admin\AppData\Local\Temp\UltraHook newe.exe

Filesize
51KB

MD5
1161aebae92bef70c935c0bb1532f28b

SHA1
c04bfe8568396f05fe65d4ae38a2c7ccbf6131f3

SHA256
025932921b20fccdbcf1c2aa83a985ec0aeb3e30a347c20023bfc1fdf8f57b75

SHA512
1884480f2b03a7cf587dbdf3cf91109b19447a4ad7fa017dcc5828da238045b10450a8819c907b23a0d0fe92d1901e5963ec63db1ceb1f1885fdb7655981011d

Download Submit
\Users\Admin\AppData\Local\Temp\UltraHook newe.exe

Filesize
53KB

MD5
51ada084f435d440a71404c4e2665be4

SHA1
322ae05c9dfba6b8267f525228f8c3a0c6f24dbb

SHA256
41b778f628dfd6957dc0837ea1fe940731dfa0be72a58f4fe6a62a4e4a1c4c38

SHA512
5ddffed338649a6f6db3d14142f7e5d6ed79196e7ecf66e125dbc8018f7b0be1917300100590646b8f73872f5fd9382bc9b034443b820d04ecaf774d28c96b43

Download Submit
\Users\Admin\AppData\Local\Temp\UltraHook newe.exe

Filesize
81KB

MD5
5dc36c34ae00905212cb9b99c6196c03

SHA1
579945f6d3cdeb1284f6b65f5662c0e5d638b2a3

SHA256
8bf862b231fa1a8913332d3dbd8d7eabcf90feee35334b2f69ce4333a45b5496

SHA512
ca45d9ac829236eaf0b36c2984cb951b15a7cbb4b8b5a7ece9af5d8d6049eb79e191aa2a5c0ed0f68baff91baecec86eaffcfc5b475d683fd18160df92d41ed4

Download Submit
\Users\Admin\AppData\Local\Temp\UltraHook newe.sfx.exe

Filesize
69KB

MD5
117b65042abf66cdf77f38b80472740d

SHA1
b8cbace7ac8971f30c7d135f073cde90d287638f

SHA256
8956af5ccffce267b97b39ca8aef5210d47d9306a5ad3f509531500b965168d3

SHA512
0f27c53d64a691bc9eab3c92ab933f05cd20d40b6187361d74893b0f5cee8ab0fa8f00fe587dd1fbaa3ce886af13c0fa7dc40e080744e29779e6f4c432f78067

Download Submit
\Users\Admin\AppData\Local\Temp\UltraHook newe.sfx.exe

Filesize
74KB

MD5
7653d381f4a9f1c1a46413728e34027b

SHA1
1fcc5c6ce768ed624e214fddf77b71807e05fe84

SHA256
c14fdfe8b497d954e869b6ae438da0609a4b1650ffd97dc8e11e23f5756e6425

SHA512
03a1c8d0625e6c83890f55cf07cea334da4b0f4c1719dac28a92bff9e8fa5bcd64eaa6dd027e0455b22fa5913c3f859ee0b161014ac0d0d4436a47027250fbc5

Download Submit
\Users\Admin\AppData\Local\Temp\UltraHook newe.sfx.exe

Filesize
92KB

MD5
18b64d325451dbda84eb7213fbc84b9f

SHA1
eab826689eb15cc0ae19718acd2dda1cdcee91c3

SHA256
db026dea885f36a9aee23f3ed7e5f57f409dfca23c7793330aef8d3e8c3d85ed

SHA512
8f764f2c6eaad04d5e0e4f78ee269cf9a3c3bea6e66f7553bc065a4d6d269bbac73c6c053bd760d604c0aa4b40c7764afc309e4314464c44d3b63ac1c4b95320

Download Submit
memory/2592-42-0x0000000001250000-0x0000000001416000-memory.dmp

Filesize
1.8MB

Download
memory/2592-69-0x000000001B800000-0x000000001B880000-memory.dmp

Filesize
512KB

Download
memory/2592-68-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2592-46-0x0000000000B30000-0x0000000000BA6000-memory.dmp

Filesize
472KB

Download
memory/2592-45-0x000000001B800000-0x000000001B880000-memory.dmp

Filesize
512KB

Download
memory/2592-44-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2696-36-0x0000000000C50000-0x0000000000CD0000-memory.dmp

Filesize
512KB

Download
memory/2696-43-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2696-32-0x0000000000CD0000-0x0000000000ED0000-memory.dmp

Filesize
2.0MB

Download
memory/2696-34-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download
memory/2696-35-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2696-33-0x000007FEF54B0000-0x000007FEF5E9C000-memory.dmp

Filesize
9.9MB

Download